Unraid Deck API Permissions: A Complete Security Guide

Learn which Unraid API permissions are required by Unraid Deck. Discover how to configure secure, read-only or read-write access for your home server.

Unraid Deck API Permissions: A Complete Security Guide

To ensure Unraid Deck operates smoothly and provides you with full control over your server, it requires specific access rights via the Unraid GraphQL API.

We believe in maximum transparency and the Principle of Least Privilege. This article outlines exactly which API permissions the app requests, what actions they enable, and why they are necessary.

1. Permission Breakdown

Unraid Deck permissions are categorized based on whether they only read data (Read-Only) or also modify the system state (Read & Write).

Basic System Monitoring (Read-Only)

These permissions allow the app to securely retrieve system telemetry and status overviews to display on your dashboard. They cannot modify any server settings.

  • INFO (READ_ANY): Retrieves basic system information, overall CPU/Memory/Network usage, and Unraid OS version.
  • SERVERS (READ_ANY): Retrieves server IP addresses and general configuration data.
  • REGISTRATION (READ_ANY): Verifies your Unraid license and authorization type.
  • SHARE (READ_ANY): Lists your user shares, their capacity, and basic configuration.
  • DISK (READ_ANY): Reads physical drive information and S.M.A.R.T. health status to detect potential failures.
  • LOGS (READ_ANY): Streams the system syslog, general logs, and the compatible container log path used by the app.
  • ME (READ_ANY): Verifies the permissions of the currently logged-in API user.
  • ONLINE (READ_ANY): Pings the server to detect if it’s currently online and reachable.
  • PERMISSION (READ_ANY): Retrieves the list of available API roles and permission constants.
  • VARS (READ_ANY): Reads system variables exposed by the API so the app can surface configuration-aware information safely.

Workload & Instance Control (Read & Write)

To manage your services directly from your iPhone, including batch operations, the app requires update permissions for Docker and VMs.

  • DOCKER (READ_ANY, UPDATE_ANY): Allows the app to list containers, view Docker logs, check update availability, and perform actions such as start, stop, pause, resume, and update on individual containers or in batches.
  • VMS (READ_ANY, UPDATE_ANY): Allows the app to list virtual machines and perform power actions such as start, stop, pause, resume, reboot, and force stop.

Storage / Parity Control (Read & Write)

To support storage management and parity-related controls inside the app, Unraid Deck also needs update access for array operations.

  • ARRAY (READ_ANY, UPDATE_ANY): Allows the app to monitor array health and parity status while also triggering supported storage and parity control actions directly from the app.

Notification Management (Read & Write)

Unraid Deck provides an integrated notification center. To allow you to interact with notifications, the following permissions are needed.

  • NOTIFICATIONS (READ_ANY, CREATE_ANY, UPDATE_ANY, DELETE_ANY): Allows the app to view notifications, mark them as read or unread, archive alerts in bulk, delete archived items, and create local notification entries when needed.

App Credential Management (Read & Write)

To securely manage its own connection credentials across your devices (if applicable):

  • API_KEY (READ_ANY, CREATE_ANY, DELETE_ANY, UPDATE_ANY): Allows the app to dynamically query, issue, and revoke restricted API keys for its own use.

2. API Key Quick Setup (Template)

If you are setting up your Unraid server to work with Unraid Deck, you can apply all the exact permissions listed above automatically using our template URL.

When creating a new API Key in Unraid (Settings -> Management Access -> API Keys), choose Create from Template and paste the following URL:

?name=Unraid+Deck&scopes=disk%2Binfo%2Blogs%2Bme%2Bonline%2Bpermission%2Bregistration%2Bservers%2Bshare%2Bvars%3Aread_any%2Carray%2Bdocker%2Bvms%3Aread_any%2Bupdate_any%2Capi_key%2Bnotifications%3Acreate_any%2Bdelete_any%2Bread_any%2Bupdate_any&description=Unraid+Deck+App+Key

This will instantly prefill all the necessary permissions tailored explicitly for Unraid Deck.

Pro Tip: If you prefer to use Unraid Deck strictly as a Read-Only monitoring dashboard and do not want it to control storage, parity, or services, you can safely remove the update_any and delete_any permissions from the ARRAY, DOCKER, VMS, and NOTIFICATIONS scopes before clicking Save. The app will still display all your data flawlessly, but action buttons will be disabled.